On Mon, Mar 28, 2016 at 10:55:06AM -0500, Endi Sukma Dewata wrote:
> On 3/28/2016 10:00 AM, Rob Crittenden wrote:
> >Timothy Geier wrote:
> >>>Thanks for the procedure..the good news is this worked quite
> >>>well in making sure that 389 didn’t crash immediately after
> >>>startup. The bad news is that the certificates still didn’t
> >>>renew due to
> >>>
> >>>Server at "http://master_server:8080/ca/ee/ca/profileSubmit"
> >>>
> >>>replied: Profile caServerCert Not Found
> >>>
> >>>which was the same error in getcert list I saw that one time
> >>>389 didn’t crash right away. At least now this can be further
> >>>troubleshot without worrying about 389.
> >>>
> >>>
> >>
> >>To follow up on this issue, we haven’t been able to get any
> >>further since last month due to the missing caServerCert
> >>profile..the configuration files
> >>/usr/share/pki/ca/profiles/ca/caServerCert.cfg and
> >>/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg are
> >>present and are identical. The pki-ca package passes rpm -V as
> >>well. Are there any other troubleshooting steps we can take?
> >
> >Maybe Endi or Ade have some ideas why the CA isn't recognizing
> >the profile.
> >
> >rob
> >
>
> Fraser, is it possible the profile is missing from LDAP?
>

There is a ticket for a situation where migration of profiles to LDAP does not occur: https://bugzilla.redhat.com/show_bug.cgi?id=1300252
See also upstream ticket: https://fedorahosted.org/freeipa/ticket/5682

The fix is awaiting release for RHEL.

A possible workaround is to modify /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, replacing the value:

    com.netscape.cmscore.profile.LDAPProfileSubsystem

with:

    com.netscape.cmscore.profile.ProfileSubsystem

Then running `ipa-server-upgrade`. The upgrade program should observe that LDAP-based profiles are not enabled, re-enable the LDAPProfileSubsystem and import all file-based profiles into the database.

If you are able to try this procedure, let me know how it goes.

Cheers,
Fraser

> Timothy, could you provide us with the CA debug logs
> (/var/log/pki/pki-tomcat/ca/debug) and CA configuration file
> (/var/lib/pki/pki-tomcat/ca/conf/CS.cfg)?
>
> Thanks!
>
> --
> Endi S. Dewata

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
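The workaround described in the message above, as an added shell example that is neither from the thread nor part of FreeIPA or Dogtag: it backs up CS.cfg with its original mode, swaps the class value, verifies the edit, and after `ipa-server-upgrade` checks that the LDAP class is back. The CS.cfg path and the two class names are taken from the message; the `subsystem.N.class=` line layout of the constructed sample and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Swaps the CA profile subsystem class
# in CS.cfg with a backup and a verification step, so a failed edit can be
# rolled back before the CA is restarted.

CS_CFG=/var/lib/pki/pki-tomcat/ca/conf/CS.cfg
LDAP_CLASS=com.netscape.cmscore.profile.LDAPProfileSubsystem
FILE_CLASS=com.netscape.cmscore.profile.ProfileSubsystem

# Print the profile subsystem class currently set in the given CS.cfg.
# Assumes the value appears on one line, e.g. "subsystem.1.class=<class>".
profile_subsystem_class() {
    sed -n 's/.*\(com\.netscape\.cmscore\.profile\.[A-Za-z]*ProfileSubsystem\).*/\1/p' "$1" | head -n 1
}

# Replace LDAPProfileSubsystem with ProfileSubsystem in place. Refuses to
# touch a file that does not contain exactly one matching line, keeps a
# timestamped backup (same owner and mode), and restores the backup if the
# edit does not verify. Prints the backup path on success.
swap_to_file_profiles() {
    cfg=$1
    matches=$(grep -c "$LDAP_CLASS" "$cfg")
    if [ "$matches" -ne 1 ]; then
        echo "expected exactly one $LDAP_CLASS line in $cfg, found $matches" >&2
        return 1
    fi
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak" || return 1
    # Write through the existing file so its owner and permissions survive.
    sed "s/$LDAP_CLASS/$FILE_CLASS/" "$bak" > "$cfg" || { cp -p "$bak" "$cfg"; return 1; }
    if [ "$(profile_subsystem_class "$cfg")" != "$FILE_CLASS" ]; then
        cp -p "$bak" "$cfg"
        return 1
    fi
    echo "$bak"
}

# After the swap, run ipa-server-upgrade (as root) and confirm that it put
# the LDAP class back, which is the sign that profiles were re-imported.
upgrade_restored_ldap_profiles() {
    ipa-server-upgrade || return 1
    [ "$(profile_subsystem_class "${1:-$CS_CFG}")" = "$LDAP_CLASS" ]
}

# Usage on a live server:
#   swap_to_file_profiles "$CS_CFG" && upgrade_restored_ldap_profiles "$CS_CFG"
```

If the final check fails, the upgrade did not re-enable LDAP profiles and the backup printed by `swap_to_file_profiles` can be copied back over CS.cfg before restarting the CA.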
